Monday, October 28, 2013

Every once in a while we see a spam campaign where we dig into the complexity expecting to find malware, only to find that the criminal has simply built an extremely foolproof phishing system for their daily phish. Such was the case with an American Express phishing campaign that we saw today over at Malcovery Security.

The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:

The subject line was always "Fraud Alert: Irregular Card Activity"

The From address was always "American Express (fraud@aexp.com)"

But the highlighted link, which claims it will take you to https://www.americanexpress.com/, actually goes to one of 419 URLs on one of 57 compromised web servers. The list of servers is:

Each of those index.html pages was actually a redirector: it displayed a box reading "Connecting to server..." while it tried to load one of three JavaScript files from three different locations. Across all of the redirectors, we saw a total of ten such JavaScript files:
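Two things in the description above are worth automating when triaging a lure like this: the spam's link whose visible text says https://www.americanexpress.com/ while its href points at a compromised server, and the landing index.html that is nothing but a "Connecting to server..." box pulling a script from yet another host. The following is an added example written for this post, not code from Malcovery or from the campaign; the HTML samples are constructed, and the hostnames in them are placeholders rather than the servers actually seen.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect anchors (href + visible text), <script src> values and visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # list of (href, visible text)
        self.scripts = []      # script src attribute values
        self.text_parts = []   # visible text outside <script>/<style>
        self._href = None
        self._buf = []
        self._skip = 0         # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
            if tag == "script" and a.get("src"):
                self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href = a["href"]
            self._buf = []

    def handle_data(self, data):
        if self._skip:
            return
        self.text_parts.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Links whose visible text is itself a URL on a host different from the href's.
    Returns a list of (visible_text, href) pairs."""
    p = _Collector()
    p.feed(html)
    return [(text, href) for href, text in p.anchors
            if text.lower().startswith(("http://", "https://"))
            and _host(text) != _host(href)]


def redirector_signals(html, page_url):
    """Heuristics for the 'Connecting to server...' redirector: a near-empty page
    whose scripts are all fetched from hosts other than the page's own."""
    p = _Collector()
    p.feed(html)
    visible = " ".join("".join(p.text_parts).split())
    own = _host(page_url)
    external = [s for s in p.scripts if _host(s) and _host(s) != own]
    banner = "connecting to server" in visible.lower()
    return {
        "connecting_banner": banner,
        "visible_words": len(visible.split()),
        "external_scripts": external,
        "suspicious": banner and bool(external),
    }


# Constructed samples (not the campaign's real HTML; hostnames are placeholders).
SPAM_BODY = """<p>Fraud Alert: Irregular Card Activity</p>
<p>Review the activity at
<a href="http://hacked-site.example/amex/index.html">https://www.americanexpress.com/</a>
or contact us via <a href="https://www.americanexpress.com/">https://www.americanexpress.com/</a>.</p>"""

REDIRECTOR = """<html><body>
<div class="box">Connecting to server...</div>
<script src="http://other-hacked-site.example/js/r.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(mismatched_links(SPAM_BODY))
    print(redirector_signals(REDIRECTOR, "http://hacked-site.example/amex/index.html"))
```

The link check compares hostnames rather than whole URLs so that a legitimate link whose text and href differ only in path is not flagged; the redirector check deliberately ignores text inside script and style blocks, since a redirector's JavaScript can be far longer than the three words a victim actually sees.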

Here's the Phish Walk Through once we finally arrive at one of the three destination phishing sites:

First they ask for the Userid and password

Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.

Now the card number . . .

And the expiration date . . .

And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.

So, to gather the userid, password, and card details of a few hundred American Express card holders, the phisher today was willing and able to break into SEVENTY web servers ... 57 used in the spam ... 10 more used for the JavaScript redirection scripts ... and 3 used for the actual phishing hosts.